MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
SHA3-384 hash: b989df1b14d25f91b32cfe9cbfe3ba09631f1d1a31c97fcd24bd8bb8c6d3e297dd5f92fc5792333c858e9ac080c92623
SHA1 hash: bb172fb5eba822d727332fa4f60206e173aca4e6
MD5 hash: 05f7e1f80d649a842f1728a380901c7f
humanhash: friend-arizona-lake-five
File name:2143453.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:785'408 bytes
First seen:2021-01-08 08:29:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:z/QvNHMNWbQ6x82OtClrDEImx28IYKGpPWl4yUjOjw+kWrjmXlTO:8lHMNgxmSlYvIYXaUjswB6Gl
Threatray 3'308 similar samples on MalwareBazaar
TLSH 9AF4F102B7EB6741E03D67B605A844025BF2ED1DA6B2D53E8FA5309809732524DBDF3B
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: coimtra.cam
Sending IP: 111.90.159.197
From: Valentina Barbin <Barbin@coimtra.cam>
Subject: Re: R: R: new order no. 2143453
Attachment: 2143453.rar (contains "2143453.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2143453.rar
Verdict:
Suspicious activity
Analysis date:
2021-01-08 03:48:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/555b0732-56e0-43b5-8702-af464e741d91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110947/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Launching the process to change network settings
Launching cmd.exe command interpreter
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/576488
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337294 Sample: 2143453.exe Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 46 www.thedesailldada.com 2->46 48 www.sphenecouture.com 2->48 50 5 other IPs or domains 2->50 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 8 other signatures 2->72 10 2143453.exe 7 2->10         started        14 SearchUI.exe 2->14         started        signatures3 process4 file5 38 C:\Users\user\AppData\...\bWcbXUzFez.exe, PE32 10->38 dropped 40 C:\Users\...\bWcbXUzFez.exe:Zone.Identifier, ASCII 10->40 dropped 42 C:\Users\user\AppData\Local\...\tmpC8D7.tmp, XML 10->42 dropped 44 C:\Users\user\AppData\...\2143453.exe.log, ASCII 10->44 dropped 80 Tries to detect virtualization through RDTSC time measurements 10->80 16 2143453.exe 10->16         started        19 schtasks.exe 1 10->19         started        signatures6 process7 signatures8 58 Modifies the context of a thread in another process (thread injection) 16->58 60 Maps a DLL or memory area into another process 16->60 62 Sample uses process hollowing technique 16->62 64 Queues an APC in another process (thread injection) 16->64 21 cscript.exe 16->21         started        24 explorer.exe 16->24 injected 26 conhost.exe 19->26         started        process9 signatures10 74 Modifies the context of a thread in another process (thread injection) 21->74 76 Maps a DLL or memory area into another process 21->76 78 Tries to detect virtualization through RDTSC time measurements 21->78 28 explorer.exe 4 156 21->28         started        32 cmd.exe 1 21->32         started        34 wlanext.exe 24->34         started        process11 dnsIp12 52 www.trainingkanban.com 51.83.43.226, 49752, 80 OVHFR France 28->52 54 www.samcarrt.com 192.64.119.253, 49757, 80 NAMECHEAP-NETUS United States 28->54 56 7 other IPs or domains 28->56 82 System process connects to network (likely due to code injection or exploit) 28->82 36 conhost.exe 32->36         started        signatures13 process14
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-08 08:30:17 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwtmkuoyypvdnkr5hgpnq7oblsotcg6nznypervy2ep3cvrcpggq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0858182cc5f6f5a3c7b96f90c5ea266c4ef22effd00ef54b0a72308ff11e932e
Formbook
200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e
Formbook
38306ee79d194eb6353428a064ae2a54ad4ef975dfc04ff563150f2f385adf3a
Formbook
421993c96075e5d85af8197bb352abac1828cf974df975c4cf8cf25cc34e1722
Formbook
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
Formbook
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
Formbook
9fdd7c91700e8ae665b85b921c9008a728d8a022c669f348c32865b674341333
Formbook
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
Formbook
e41c50d817a963a03c07188bda3e42f164f1ce189f2875dc7f5125594d4ec159
Formbook
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
Formbook
+ 3'298 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:xloader loader rat spyware stealer trojan
Link:
https://tria.ge/reports/210108-bwyb1kg9me/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of SetThreadContext
Deletes itself
Blocklisted process makes network request
Xloader Payload
Formbook
Xloader
Malware Config
C2 Extraction:
http://www.valiantbranch.com/0wdn/
Unpacked files
SH256 hash:
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
MD5 hash:
05f7e1f80d649a842f1728a380901c7f
SHA1 hash:
bb172fb5eba822d727332fa4f60206e173aca4e6
Link:
https://www.unpac.me/results/6ab3c2b6-5ab2-404a-bb48-ed25c440afd4/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/6ab3c2b6-5ab2-404a-bb48-ed25c440afd4/
SH256 hash:
256f19cbb878a810875109f28c2054ca54cc405c661b674ec5505880a826d3aa
MD5 hash:
60ee9fccb3496d79fa7e452964ae7d96
SHA1 hash:
f2cc3edbbfa493218fa7fa8a937196ee0dc6855f
Link:
https://www.unpac.me/results/6ab3c2b6-5ab2-404a-bb48-ed25c440afd4/
SH256 hash:
890e5e72222461be09c0c885e7b1f70c63d1cfec5ac245de637af3929b7e7834
MD5 hash:
7a6958c8cec4aec91bbafe23f99276e0
SHA1 hash:
b046b046022e42a868634a6675330933734575f9
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/6ab3c2b6-5ab2-404a-bb48-ed25c440afd4/
Parent samples :
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
fda9bc94b5b0819fb153117c4a037262264d7d22d2610eafd45c7fbfd4765c7b
de577499476b9118f1ec1283e41d41c1dafe8be81e7e30daba8ff90685016690
bbd660181713b47240cc63e19eeb05480de79422be73d133113b6472dc17c924
48e91aaa4b96fa73dbc3bdb98ca784031bb6bed5aa790acfb85d258e7738044a
565a3fc27dfb56071acfd1e8c492eb3becbb587f0167353834e97c3819cc1337
a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d
b9e89d7766f894c102cd449dace5e9c1ef8f3cdca070af5f6ce22a7737eb593a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar a57646f05b0ccf3ecda15f36cb50605e420ef526d5a553b2d11d503aa14f4efc

Formbook

Executable exe a5a6c551d8c3ea36aa3d399ed87dc15c9d311bcdcb70f246b8d11fb15622798d

(this sample)

  
Dropped by
MD5 b96f6d58b40d5cb0a90f6b16889df9a0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a57646f05b0ccf3ecda15f36cb50605e420ef526d5a553b2d11d503aa14f4efc
Cape
Cape
https://www.capesandbox.com/analysis/110947/

Comments